CVE Vulnerability Database

CVE-2026-47208: VM2 Sandbox Breakout RCE Vulnerability

CVE-2026-47208 is a sandbox breakout vulnerability in VM2 for Node.js that allows attackers to escape the sandbox and execute arbitrary code on the host. This article covers technical details, affected versions, and mitigation.

CVE-2026-47208 Overview

CVE-2026-47208 is a sandbox escape vulnerability in vm2, an open source virtual machine and sandbox library for Node.js. Versions prior to 3.11.4 allow attackers to break out of the sandbox boundary. Once outside the sandbox, attackers execute arbitrary commands on the underlying host system. The maintainers patched the issue in version 3.11.4.

The vulnerability is tracked under [CWE-913: Improper Control of Dynamically-Managed Code Resources]. Because vm2 is commonly used to evaluate untrusted JavaScript in server environments, exploitation directly converts attacker-supplied scripts into host-level command execution.

Critical Impact

Attackers who can submit JavaScript to a vm2 sandbox can execute arbitrary commands on the host with the privileges of the Node.js process.

Affected Products

  • vm2 versions prior to 3.11.4
  • Node.js applications embedding vulnerable vm2 releases
  • Downstream packages that depend on vm2 for untrusted code evaluation

Discovery Timeline

  • 2026-06-12 - CVE-2026-47208 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-47208

Vulnerability Analysis

vm2 implements a JavaScript sandbox by wrapping Node.js vm module contexts and proxying access to host objects. The library aims to isolate guest code from the host runtime by intercepting prototype access, property lookups, and exception handling. CVE-2026-47208 defeats this isolation and gives guest code direct access to host objects.

Once guest code reaches a host object reference, it can resolve the host process global. From there, attackers invoke child_process.execSync or similar APIs to spawn commands. The result is arbitrary command execution in the context of the Node.js process hosting the sandbox.

Applications that use vm2 to run user-supplied templates, plugins, or expressions are directly exposed. Many software-as-a-service platforms, low-code engines, and serverless workflow products fall into this category, which broadens the practical attack surface.

Root Cause

The root cause is improper control of dynamically managed code resources within the sandbox boundary [CWE-913]. The sandbox fails to fully mediate every path through which guest code can reach a host object. The maintainers addressed the gap in commit a462655009669c3124ee39498121651597529ea8, released as version 3.11.4.

Attack Vector

Exploitation requires the attacker to supply JavaScript to a vm2 sandbox. No authentication or user interaction is required when the host application exposes a remote interface that forwards input to vm2. Once the crafted script runs, it pivots from a sandboxed value to a host reference and invokes Node.js child process APIs to run shell commands.

Refer to the GitHub Security Advisory GHSA-76w7-j9cq-rx2j for the upstream technical description.

Detection Methods for CVE-2026-47208

Indicators of Compromise

  • Node.js processes spawning unexpected child processes such as sh, bash, cmd.exe, or powershell.exe shortly after handling user-submitted scripts.
  • Outbound network connections from Node.js workers to attacker-controlled infrastructure following sandbox evaluation requests.
  • New files written under application working directories or /tmp immediately after vm2 evaluation calls.

Detection Strategies

  • Inventory all Node.js applications and identify dependencies on vm2 below version 3.11.4 using software composition analysis.
  • Inspect application logs for sandbox evaluation errors, prototype access exceptions, or repeated input that references constructor, prototype, or process.
  • Correlate process ancestry to flag any shell or interpreter spawned by a Node.js parent that normally does not fork external commands.
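The first and third strategies above can be scripted. The following Node.js snippet is an added example for this advisory, not code from the vm2 project or the advisory's authors: it audits a package-lock.json for vm2 entries below the fixed release 3.11.4 (using a numeric semver comparison, since a plain string compare would wrongly order 3.11.x before 3.9.x) and correlates process-creation records to flag any shell whose ancestor chain contains a Node.js process. The lockfile and the process events are constructed sample data; the semver helper, event shape and function names are this example's own assumptions.

```javascript
// Added example for CVE-2026-47208 detection; not code from the vm2 project or the advisory.
// 1. findVulnerableVm2(): lockfile audit for vm2 below the fixed version 3.11.4
// 2. flagShellsUnderNode(): process-ancestry correlation for shells spawned under node
// All sample data below is constructed for this example.

const FIXED_VM2_VERSION = '3.11.4'; // fixed release named in the advisory
const SHELLS = new Set(['sh', 'bash', 'dash', 'zsh', 'cmd.exe', 'powershell.exe', 'pwsh']);

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release and build suffixes are ignored.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Walk a package-lock.json (lockfileVersion 2/3 "packages" map, or the legacy
// lockfileVersion 1 nested "dependencies" map) and return every vm2 entry,
// including transitive copies, whose version is below the fixed release.
function findVulnerableVm2(lockfile) {
  const findings = [];
  if (lockfile.packages) {
    for (const [path, info] of Object.entries(lockfile.packages)) {
      if (path.endsWith('node_modules/vm2') && info.version &&
          compareSemver(info.version, FIXED_VM2_VERSION) < 0) {
        findings.push({ path, version: info.version });
      }
    }
    return findings;
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'vm2' && compareSemver(info.version, FIXED_VM2_VERSION) < 0) {
        findings.push({ path, version: info.version });
      }
      walk(info.dependencies, `${path}/`);
    }
  };
  walk(lockfile.dependencies, '');
  return findings;
}

// Each event is one process-creation record { pid, ppid, comm } (EDR/auditd style).
// Returns the shell events whose ancestor chain contains a node process.
function flagShellsUnderNode(events) {
  const byPid = new Map(events.map((e) => [e.pid, e]));
  const flagged = [];
  for (const ev of events) {
    if (!SHELLS.has(ev.comm)) continue;
    const seen = new Set();
    let parent = byPid.get(ev.ppid);
    while (parent && !seen.has(parent.pid)) { // seen-set guards against cyclic pid reuse
      seen.add(parent.pid);
      if (parent.comm === 'node') {
        flagged.push({ pid: ev.pid, comm: ev.comm, nodeParentPid: parent.pid });
        break;
      }
      parent = byPid.get(parent.ppid);
    }
  }
  return flagged;
}

// Constructed sample lockfile: a vulnerable root copy and a patched nested copy.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sandbox-service', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.19' },
    'node_modules/workflow-engine': { version: '2.1.0' },
    'node_modules/workflow-engine/node_modules/vm2': { version: '3.11.4' },
  },
};

// Constructed sample process events: one shell under a sandbox worker, one under sshd.
const SAMPLE_EVENTS = [
  { pid: 1, ppid: 0, comm: 'systemd' },
  { pid: 4200, ppid: 1, comm: 'node' },      // sandbox worker
  { pid: 4201, ppid: 4200, comm: 'sh' },     // shell spawned by the worker: suspicious
  { pid: 4202, ppid: 4201, comm: 'curl' },
  { pid: 5100, ppid: 1, comm: 'sshd' },
  { pid: 5101, ppid: 5100, comm: 'bash' },   // interactive admin shell: benign
];

console.log('vulnerable vm2 entries:', findVulnerableVm2(SAMPLE_LOCKFILE));
console.log('shells under node:', flagShellsUnderNode(SAMPLE_EVENTS));
```

Feed `findVulnerableVm2` the parsed contents of each repository's package-lock.json; nested copies under other packages' node_modules are the transitive cases the advisory warns about. `flagShellsUnderNode` is the batch form of the ancestry rule; in a streaming EDR pipeline the same walk runs per event against a live pid table.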

Monitoring Recommendations

  • Enable EDR process telemetry on hosts running Node.js services and alert on child process creation from sandbox workers.
  • Forward application and host telemetry to a centralized data lake for retroactive hunting once new exploitation patterns surface.
  • Monitor egress traffic from sandbox hosts and alert on connections to non-allowlisted destinations.

How to Mitigate CVE-2026-47208

Immediate Actions Required

  • Upgrade vm2 to version 3.11.4 or later across all production and development environments.
  • Audit transitive dependencies because vm2 is frequently pulled in by template engines and workflow libraries.
  • Restrict the Node.js process running vm2 with least-privilege accounts and filesystem permissions to limit post-exploitation impact.

Patch Information

The maintainers released the fix in vm2 v3.11.4. The corresponding source change is available in GitHub commit a4626550. Given the vm2 project's history of repeated sandbox escapes, teams should also evaluate migrating to actively maintained alternatives such as isolated-vm or process-level isolation using containers.

Workarounds

  • Disable any application feature that evaluates untrusted JavaScript through vm2 until the upgrade is deployed.
  • Move untrusted code execution into a separate, isolated process or container with no access to sensitive credentials or networks.
  • Apply strict input validation and length limits on scripts submitted to evaluation endpoints to reduce the practical attack surface.
```bash
# Upgrade vm2 to the patched release
npm install vm2@3.11.4
npm audit --production
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.